Update PowerSTIG to Parse/Apply U_MS_IIS_10-0_Y23M10_STIG #1280

This commit is contained in:
tfs\jhinders 2023-11-17 06:54:17 -07:00
Родитель 55db3d17d0
Коммит 0e59355475
6 изменённых файлов: 609 добавлений и 513 удалений


@ -2,6 +2,8 @@
## [Unreleased] ## [Unreleased]
* Update PowerSTIG to Parse/Apply U_MS_IIS_10-0_Y23M10_STIG: [#1280](https://github.com/microsoft/PowerStig/issues/1280)
## [4.18.0] - 2023-09-05 ## [4.18.0] - 2023-09-05
* Update PowerSTIG to Parse/Apply Red Hat Enterprise Linux 7 STIG V3R12: [#1254](https://github.com/microsoft/PowerStig/issues/1254) * Update PowerSTIG to Parse/Apply Red Hat Enterprise Linux 7 STIG V3R12: [#1254](https://github.com/microsoft/PowerStig/issues/1254)



@ -1,97 +0,0 @@
<!--
The organizational settings file is used to define the local organizations
preferred setting within an allowed range of the STIG.
Each setting in this file is linked by STIG ID and the valid range is in an
associated comment.
-->
<OrganizationalSettings fullversion="2.5">
<!-- Ensure ValueData is set to 0x00000006 (6) or greater -->
<OrganizationalSetting id="V-220704" ValueData="" />
<!-- Ensure ''V-220739'' -ge '15' -or ''V-220739'' -eq '0'-->
<OrganizationalSetting id="V-220739" PolicyValue="15" />
<!-- Ensure ''V-220740'' -le '3' -and ''V-220740'' -ne '0'-->
<OrganizationalSetting id="V-220740" PolicyValue="3" />
<!-- Ensure ''V-220741'' -ge '15'-->
<OrganizationalSetting id="V-220741" PolicyValue="15" />
<!-- Ensure ''V-220742'' -ge '24'-->
<OrganizationalSetting id="V-220742" PolicyValue="24" />
<!-- Ensure ''V-220743'' -le '60' -and ''V-220743'' -ne '0'-->
<OrganizationalSetting id="V-220743" PolicyValue="30" />
<!-- Ensure ''V-220744'' -ge '1'-->
<OrganizationalSetting id="V-220744" PolicyValue="1" />
<!-- Ensure ''V-220745'' -ge '14'-->
<OrganizationalSetting id="V-220745" PolicyValue="14" />
<!-- Ensure ''V-220779'' -ge '32768'-->
<OrganizationalSetting id="V-220779" ValueData="32768" />
<!-- Ensure ''V-220780'' -ge '1024000'-->
<OrganizationalSetting id="V-220780" ValueData="1024000" />
<!-- Ensure ''V-220781'' -ge '32768'-->
<OrganizationalSetting id="V-220781" ValueData="32768" />
<!-- Ensure ''V-220806'' -match '1|ShouldBeAbsent'-->
<OrganizationalSetting id="V-220806" ValueData="1" />
<!-- Ensure ''V-220811.b'' -match '1|3'-->
<OrganizationalSetting id="V-220811.b" ValueData="1" />
<!-- Ensure ''V-220813'' -match '1|3|8'-->
<OrganizationalSetting id="V-220813" ValueData="1" />
<!-- Ensure ''V-220818'' -match '1|ShouldBeAbsent'-->
<OrganizationalSetting id="V-220818" ValueData="1" />
<!-- Ensure 'V-220836.b' -eq 1|2-->
<OrganizationalSetting id="V-220836.b" ValueData="1" />
<!-- Ensure ''V-220837'' -match '0|ShouldBeAbsent'-->
<OrganizationalSetting id="V-220837" ValueData="0" />
<!-- Ensure ''V-220838'' -match '0|ShouldBeAbsent'-->
<OrganizationalSetting id="V-220838" ValueData="0" />
<!-- Ensure ''V-220839'' -match '0|ShouldBeAbsent'-->
<OrganizationalSetting id="V-220839" ValueData="0" />
<!-- Ensure ''V-220847'' -ge '6'-->
<OrganizationalSetting id="V-220847" ValueData="6" />
<!-- Ensure ''V-220854'' -match '0|ShouldBeAbsent'-->
<OrganizationalSetting id="V-220854" ValueData="0" />
<!-- Ensure ''V-220858'' -match '0|ShouldBeAbsent'-->
<OrganizationalSetting id="V-220858" ValueData="0" />
<!-- Ensure location for DoD Root CA 3 certificate is present-->
<OrganizationalSetting id="V-220903.a" Location="" />
<!-- Ensure location for DoD Root CA 4 certificate is present-->
<OrganizationalSetting id="V-220903.b" Location="" />
<!-- Ensure location for DoD Root CA 5 certificate is present-->
<OrganizationalSetting id="V-220903.c" Location="" />
<!-- Ensure location for DoD Interoperability Root CA 2 certificate is present-->
<OrganizationalSetting id="V-220905.a" Location="" />
<!-- Ensure location for DoD Interoperability Root CA 2 certificate is present-->
<OrganizationalSetting id="V-220905.b" Location="" />
<!-- Ensure location for US DoD CCEB Interoperability Root CA 2 certificate is present-->
<OrganizationalSetting id="V-220906" Location="" />
<!-- Ensure ''V-220911'' -ne 'Administrator'-->
<OrganizationalSetting id="V-220911" OptionValue="" />
<!-- Ensure ''V-220912'' -ne 'Guest'-->
<OrganizationalSetting id="V-220912" OptionValue="" />
<!-- Ensure ''V-220918'' -le '30' -and ''V-220918'' -gt '0'-->
<OrganizationalSetting id="V-220918" ValueData="30" />
<!-- Ensure ''V-220920'' -le '900' -and ''V-220920'' -gt '0'-->
<OrganizationalSetting id="V-220920" ValueData="450" />
<!-- Ensure 'V-220921' is set to the required legal notice before logon-->
<OrganizationalSetting id="V-220921" ValueData="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." />
<!-- Ensure ''V-220922'' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'-->
<OrganizationalSetting id="V-220922" ValueData="US Department of Defense Warning Statement" />
<!-- Ensure ''V-220923'' -le '10'-->
<OrganizationalSetting id="V-220923" ValueData="10" />
<!-- Ensure ''V-220924'' -match '1|2'-->
<OrganizationalSetting id="V-220924" ValueData="1" />
<!-- Ensure ''V-220955'' -match '2|ShouldBeAbsent'-->
<OrganizationalSetting id="V-220955" ValueData="2" />
<!-- Ensure ''V-252903'' -match '1|2'-->
<OrganizationalSetting id="V-252903" ValueData="1" />
</OrganizationalSettings>


@ -0,0 +1,83 @@
<!--
The organizational settings file is used to define the local organizations
preferred setting within an allowed range of the STIG.
Each setting in this file is linked by STIG ID and the valid range is in an
associated comment.
-->
<OrganizationalSettings fullversion="2.8">
<!-- Ensure ValueData is set to 0x00000006 (6) or greater -->
<OrganizationalSetting id="V-220704" ValueData="" />
<!-- Ensure ''V-220739'' -ge '15' -or ''V-220739'' -eq '0'-->
<OrganizationalSetting id="V-220739" PolicyValue="" />
<!-- Ensure ''V-220740'' -le '3' -and ''V-220740'' -ne '0'-->
<OrganizationalSetting id="V-220740" PolicyValue="" />
<!-- Ensure ''V-220741'' -ge '15'-->
<OrganizationalSetting id="V-220741" PolicyValue="" />
<!-- Ensure ''V-220742'' -ge '24'-->
<OrganizationalSetting id="V-220742" PolicyValue="" />
<!-- Ensure ''V-220743'' -le '60' -and ''V-220743'' -ne '0'-->
<OrganizationalSetting id="V-220743" PolicyValue="" />
<!-- Ensure ''V-220744'' -ge '1'-->
<OrganizationalSetting id="V-220744" PolicyValue="" />
<!-- Ensure ''V-220745'' -ge '14'-->
<OrganizationalSetting id="V-220745" PolicyValue="" />
<!-- Ensure ''V-220779'' -ge '32768'-->
<OrganizationalSetting id="V-220779" ValueData="" />
<!-- Ensure ''V-220780'' -ge '1024000'-->
<OrganizationalSetting id="V-220780" ValueData="" />
<!-- Ensure ''V-220781'' -ge '32768'-->
<OrganizationalSetting id="V-220781" ValueData="" />
<!-- Ensure ''V-220806'' -match '3|ShouldBeAbsent'-->
<OrganizationalSetting id="V-220806" ValueData="" />
<!-- Ensure ''V-220811.b'' -match '1|3'-->
<OrganizationalSetting id="V-220811.b" ValueData="" />
<!-- Ensure ''V-220813'' -match '1|3|8'-->
<OrganizationalSetting id="V-220813" ValueData="" />
<!-- Ensure ''V-220818'' -match '1|ShouldBeAbsent'-->
<OrganizationalSetting id="V-220818" ValueData="" />
<!-- Ensure 'V-220836.b' -eq 1|2-->
<OrganizationalSetting id="V-220836.b" ValueData="" />
<!-- Ensure ''V-220837'' -match '0|ShouldBeAbsent'-->
<OrganizationalSetting id="V-220837" ValueData="" />
<!-- Ensure ''V-220838'' -match '0|ShouldBeAbsent'-->
<OrganizationalSetting id="V-220838" ValueData="" />
<!-- Ensure ''V-220839'' -match '0|ShouldBeAbsent'-->
<OrganizationalSetting id="V-220839" ValueData="" />
<!-- Ensure ''V-220847'' -ge '6'-->
<OrganizationalSetting id="V-220847" ValueData="" />
<!-- Ensure ''V-220854'' -match '0|ShouldBeAbsent'-->
<OrganizationalSetting id="V-220854" ValueData="" />
<!-- Ensure ''V-220858'' -match '0|ShouldBeAbsent'-->
<OrganizationalSetting id="V-220858" ValueData="" />
<!-- Ensure location for DoD Root CA 3 certificate is present-->
<OrganizationalSetting id="V-220903.a" Location="" />
<!-- Ensure location for DoD Root CA 4 certificate is present-->
<OrganizationalSetting id="V-220903.b" Location="" />
<!-- Ensure location for DoD Root CA 5 certificate is present-->
<OrganizationalSetting id="V-220903.c" Location="" />
<!-- Ensure location for DoD Interoperability Root CA 2 certificate is present-->
<OrganizationalSetting id="V-220905" Location="" />
<!-- Ensure location for US DoD CCEB Interoperability Root CA 2 certificate is present-->
<OrganizationalSetting id="V-220906" Location="" />
<!-- Ensure ''V-220911'' -ne 'Administrator'-->
<OrganizationalSetting id="V-220911" OptionValue="" />
<!-- Ensure ''V-220912'' -ne 'Guest'-->
<OrganizationalSetting id="V-220912" OptionValue="" />
<!-- Ensure ''V-220918'' -le '30' -and ''V-220918'' -gt '0'-->
<OrganizationalSetting id="V-220918" ValueData="" />
<!-- Ensure ''V-220920'' -le '900' -and ''V-220920'' -gt '0'-->
<OrganizationalSetting id="V-220920" ValueData="" />
<!-- Ensure 'V-220921' is set to the required legal notice before logon-->
<OrganizationalSetting id="V-220921" ValueData="" />
<!-- Ensure ''V-220922'' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'-->
<OrganizationalSetting id="V-220922" ValueData="" />
<!-- Ensure ''V-220923'' -le '10'-->
<OrganizationalSetting id="V-220923" ValueData="" />
<!-- Ensure ''V-220924'' -match '1|2'-->
<OrganizationalSetting id="V-220924" ValueData="" />
<!-- Ensure ''V-220955'' -match '2|ShouldBeAbsent'-->
<OrganizationalSetting id="V-220955" ValueData="" />
<!-- Ensure ''V-252903'' -match '1|2'-->
<OrganizationalSetting id="V-252903" ValueData="" />
</OrganizationalSettings>
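Review bot: Every OrganizationalSetting in the new fullversion="2.8" file ships with an empty value (for example `<OrganizationalSetting id="V-220739" PolicyValue="" />` and the logon-banner entry `<OrganizationalSetting id="V-220921" ValueData="" />`), whereas the removed 2.5 file carried in-range defaults for the same ids (PolicyValue="15", the full DoD notice text, ValueData="450" for V-220920, and so on). If this file is what the module falls back to when a caller supplies no organizational settings, each of these rules would be evaluated or applied with an empty string instead of a value inside the range stated in its own comment, which reads like generator output that was never filled in rather than an intentional change. Consider carrying the 2.5 defaults forward wherever the allowed range is unchanged and supplying a value for V-220806 that satisfies its updated comment (`3|ShouldBeAbsent`), so the shipped defaults remain compliant out of the box. Separately, the commit title and the changelog entry name the IIS 10 STIG while every changed file here belongs to the Windows 10 STIG (V2R8, per the DISASTIG header), which looks like a wording slip worth correcting before release.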


@ -1,4 +1,4 @@
<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="MS_Windows_10_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_10_STIG_V2R5_Manual-xccdf.xml" releaseinfo="Release: 5 Benchmark Date: 14 Nov 2022 3.4.0.34222 1.10.0" title="Microsoft Windows 10 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.5" created="11/15/2022"> <DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="MS_Windows_10_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_10_STIG_V2R8_Manual-xccdf.xml" releaseinfo="Release: 8 Benchmark Date: 09 Nov 2023 3.4.1.22916 1.10.0" title="Microsoft Windows 10 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.8" created="11/17/2023">
<AccountPolicyRule dscresourcemodule="SecurityPolicyDsc"> <AccountPolicyRule dscresourcemodule="SecurityPolicyDsc">
<Rule id="V-220739" severity="medium" conversionstatus="pass" title="SRG-OS-000329-GPOS-00128" dscresource="AccountPolicy"> <Rule id="V-220739" severity="medium" conversionstatus="pass" title="SRG-OS-000329-GPOS-00128" dscresource="AccountPolicy">
<Description>&lt;VulnDiscussion&gt;The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the amount of time that an account will remain locked after the specified number of failed logon attempts.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description> <Description>&lt;VulnDiscussion&gt;The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the amount of time that an account will remain locked after the specified number of failed logon attempts.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
@ -271,7 +271,7 @@ Plug and Play activity records events related to the successful connection of ex
<LegacyId>V-63451</LegacyId> <LegacyId>V-63451</LegacyId>
<OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueRequired>False</OrganizationValueRequired>
<OrganizationValueTestString /> <OrganizationValueTestString />
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective.
Use the AuditPol tool to review the current Audit Policy configuration: Use the AuditPol tool to review the current Audit Policy configuration:
Open a Command Prompt with elevated privileges ("Run as Administrator"). Open a Command Prompt with elevated privileges ("Run as Administrator").
@ -339,7 +339,7 @@ Audit Group Membership records information related to the group membership of a
<LegacyId>V-63457</LegacyId> <LegacyId>V-63457</LegacyId>
<OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueRequired>False</OrganizationValueRequired>
<OrganizationValueTestString /> <OrganizationValueTestString />
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective.
Use the AuditPol tool to review the current Audit Policy configuration: Use the AuditPol tool to review the current Audit Policy configuration:
Open a Command Prompt with elevated privileges ("Run as Administrator"). Open a Command Prompt with elevated privileges ("Run as Administrator").
@ -644,7 +644,7 @@ Authorization Policy Change records events related to changes in user rights, su
<LegacyId>V-71761</LegacyId> <LegacyId>V-71761</LegacyId>
<OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueRequired>False</OrganizationValueRequired>
<OrganizationValueTestString /> <OrganizationValueTestString />
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective.
Use the AuditPol tool to review the current Audit Policy configuration: Use the AuditPol tool to review the current Audit Policy configuration:
-Open a Command Prompt with elevated privileges ("Run as Administrator"). -Open a Command Prompt with elevated privileges ("Run as Administrator").
@ -732,7 +732,7 @@ Audit Other System Events records information related to cryptographic key opera
<LegacyId>V-63499</LegacyId> <LegacyId>V-63499</LegacyId>
<OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueRequired>False</OrganizationValueRequired>
<OrganizationValueTestString /> <OrganizationValueTestString />
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective.
Use the AuditPol tool to review the current Audit Policy configuration: Use the AuditPol tool to review the current Audit Policy configuration:
Open a Command Prompt with elevated privileges ("Run as Administrator"). Open a Command Prompt with elevated privileges ("Run as Administrator").
@ -754,7 +754,7 @@ Audit Other System Events records information related to cryptographic key opera
<LegacyId>V-63503</LegacyId> <LegacyId>V-63503</LegacyId>
<OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueRequired>False</OrganizationValueRequired>
<OrganizationValueTestString /> <OrganizationValueTestString />
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. <RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective.
Use the AuditPol tool to review the current Audit Policy configuration: Use the AuditPol tool to review the current Audit Policy configuration:
Open a Command Prompt with elevated privileges ("Run as Administrator"). Open a Command Prompt with elevated privileges ("Run as Administrator").
@ -1000,7 +1000,7 @@ Policy Change &gt;&gt; MPSSVC Rule-Level Policy Change - Failure
New versions with feature updates are planned to be released on a semiannual basis with an estimated support timeframe of 18 to 30 months depending on the release. Support for previously released versions has been extended for Enterprise editions. New versions with feature updates are planned to be released on a semiannual basis with an estimated support timeframe of 18 to 30 months depending on the release. Support for previously released versions has been extended for Enterprise editions.
A separate servicing branch intended for special-purpose systems is the Long-Term Servicing Channel (LTSC, formerly Branch - LTSB), which will receive security updates for 10 years but excludes feature updates.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description> A separate servicing branch intended for special-purpose systems is the Long-Term Servicing Channel (LTSC, formerly Branch - LTSB), which will receive security updates for 10 years but excludes feature updates.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
<DesiredValue>10.0.190</DesiredValue> <DesiredValue>10.0.220</DesiredValue>
<DuplicateOf /> <DuplicateOf />
<IsNullOrEmpty>False</IsNullOrEmpty> <IsNullOrEmpty>False</IsNullOrEmpty>
<LegacyId>V-63349</LegacyId> <LegacyId>V-63349</LegacyId>
@ -1013,15 +1013,14 @@ A separate servicing branch intended for special-purpose systems is the Long-Ter
If the "About Windows" dialog box does not display the following or greater, this is a finding: If the "About Windows" dialog box does not display the following or greater, this is a finding:
"Microsoft Windows Version 20H2 (OS Build 190xx.x)" "Microsoft Windows Version 21H2 (OS Build 220xx.x)"
Note: Microsoft has extended support for previous versions, providing critical and important updates for Windows 10 Enterprise. Note: Microsoft has extended support for previous versions, providing critical and important updates for Windows 10 Enterprise.
Microsoft scheduled end-of-support dates for current Semi-Annual Channel versions: Microsoft scheduled end-of-support dates for current Semi-Annual Channel versions:
v20H2 - 9 May 2023 v22H2 - 14 Oct 2025
v21H1 - 13 Dec 2022 v21H2 - 13 Jun 2024
v21H2 - 11 June 2024
No preview versions will be used in a production environment. No preview versions will be used in a production environment.
@ -1086,7 +1085,7 @@ Copy the lines below to the PowerShell window and enter.
if ($lastLogin -eq $null) { if ($lastLogin -eq $null) {
$lastLogin = 'Never' $lastLogin = 'Never'
} }
Write-Host $user.Name $lastLogin $enabled Write-Host $user.Name $lastLogin $enabled
}" }"
This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False).
@ -1158,23 +1157,21 @@ Approval must be documented with the ISSO.</RawString>
<LegacyId>V-102611</LegacyId> <LegacyId>V-102611</LegacyId>
<OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueRequired>False</OrganizationValueRequired>
<OrganizationValueTestString /> <OrganizationValueTestString />
<RawString>Ensure there is a documented policy or procedure in place that non-persistent VM sessions do not exceed 24 hours. <RawString>Ensure there is a documented policy or procedure in place that nonpersistent VM sessions do not exceed 24 hours. If the system is NOT a nonpersistent VM, this is Not Applicable.
If there is no such documented policy or procedure in place, this is a finding.</RawString> If no such documented policy or procedure is in place, this is a finding.</RawString>
</Rule> </Rule>
<Rule id="V-220946" severity="medium" conversionstatus="pass" title="SRG-OS-000105-GPOS-00052" dscresource="None"> <Rule id="V-220946" severity="medium" conversionstatus="pass" title="SRG-OS-000105-GPOS-00052" dscresource="None">
<Description>&lt;VulnDiscussion&gt;Without the use of multifactor authentication, the ease of access to privileged and non-privileged functions is greatly increased. <Description>&lt;VulnDiscussion&gt;Without the use of multifactor authentication, the ease of access to privileged and nonprivileged functions is greatly increased.
All domain accounts must be enabled for multifactor authentication with the exception of local emergency accounts. All domain accounts must be enabled for multifactor authentication with the exception of local emergency accounts.
Multifactor authentication requires using two or more factors to achieve authentication. Multifactor authentication requires using two or more factors to achieve authentication.
Factors include: Factors include:
1) Something a user knows (e.g., password/PIN); 1) Something a user knows (e.g., password/PIN);
2) Something a user has (e.g., cryptographic identification device, token); and 2) Something a user has (e.g., cryptographic identification device, token); and
3) Something a user is (e.g., biometric). 3) Something a user is (e.g., biometric).
A privileged account is defined as an information system account with authorizations of a privileged user. A privileged account is defined as an information system account with authorizations of a privileged user.
@ -1193,7 +1190,7 @@ Satisfies: SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPO
<OrganizationValueTestString /> <OrganizationValueTestString />
<RawString>If the system is not a member of a domain, this is Not Applicable. <RawString>If the system is not a member of a domain, this is Not Applicable.
If one of the following settings does not exist and is not populated, this is a finding: If one of the following settings does not exist and is not populated, this is a finding:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\Readers Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\Readers
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards</RawString> Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards</RawString>
@ -1264,7 +1261,7 @@ Under "System Summary", if "BIOS Mode" does not display "UEFI", this is a findin
<LegacyId>V-77085</LegacyId> <LegacyId>V-77085</LegacyId>
<OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueRequired>False</OrganizationValueRequired>
<OrganizationValueTestString /> <OrganizationValueTestString />
<RawString>Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows 10 hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must have Secure Boot enabled. <RawString>Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows 10 hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must have Secure Boot enabled.
For virtual desktop implementations (VDIs) where the virtual desktop instance is deleted or refreshed upon logoff, this is NA. For virtual desktop implementations (VDIs) where the virtual desktop instance is deleted or refreshed upon logoff, this is NA.
@ -1296,23 +1293,23 @@ If the operating system drive or any fixed data drives have "Turn on BitLocker",
NOTE: An alternate encryption application may be used in lieu of BitLocker providing it is configured for full disk encryption and satisfies the pre-boot authentication requirements (WN10-00-000031 and WN10-00-000032).</RawString> NOTE: An alternate encryption application may be used in lieu of BitLocker providing it is configured for full disk encryption and satisfies the pre-boot authentication requirements (WN10-00-000031 and WN10-00-000032).</RawString>
</Rule> </Rule>
<Rule id="V-220705" severity="medium" conversionstatus="pass" title="SRG-OS-000370-GPOS-00155" dscresource="None"> <Rule id="V-220705" severity="medium" conversionstatus="pass" title="SRG-OS-000370-GPOS-00155" dscresource="None">
<Description>&lt;VulnDiscussion&gt;Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. <Description>&lt;VulnDiscussion&gt;Utilizing an allowlist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.
The organization must identify authorized software programs and only permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description> The organization must identify authorized software programs and only permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as allowlisting.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
<DuplicateOf /> <DuplicateOf />
<IsNullOrEmpty>False</IsNullOrEmpty> <IsNullOrEmpty>False</IsNullOrEmpty>
<LegacyId>V-63345</LegacyId> <LegacyId>V-63345</LegacyId>
<OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueRequired>False</OrganizationValueRequired>
<OrganizationValueTestString /> <OrganizationValueTestString />
<RawString>This is applicable to unclassified systems; for other systems this is NA. <RawString>This is applicable to unclassified systems; for other systems, this is Not Applicable.
Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. This must include packaged apps such as the universals apps installed by default on systems. Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. This must include packaged apps such as the universal apps installed by default on systems.
If an application whitelisting program is not in use on the system, this is a finding. If an application allowlisting program is not in use on the system, this is a finding.
Configuration of whitelisting applications will vary by the program. Configuration of allowlisting applications will vary by the program.
AppLocker is a whitelisting application built into Windows 10 Enterprise. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules. AppLocker is an allowlisting application built into Windows 10 Enterprise. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules.
If AppLocker is used, perform the following to view the configuration of AppLocker: If AppLocker is used, perform the following to view the configuration of AppLocker:
Run "PowerShell". Run "PowerShell".
@ -1322,9 +1319,9 @@ Get-AppLockerPolicy -Effective -XML &gt; c:\temp\file.xml
This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review. This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review.
Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link: Implementation guidance for AppLocker is available at the following link:
https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm</RawString> https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide</RawString>
</Rule> </Rule>
<Rule id="V-220707" severity="high" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="None"> <Rule id="V-220707" severity="high" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="None">
<Description>&lt;VulnDiscussion&gt;Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description> <Description>&lt;VulnDiscussion&gt;Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
@ -1438,13 +1435,16 @@ If the group contains any accounts, the accounts must be specifically for backup
If the group contains any standard user accounts used for performing normal user tasks, this is a finding.</RawString> If the group contains any standard user accounts used for performing normal user tasks, this is a finding.</RawString>
</Rule> </Rule>
<Rule id="V-220715" severity="low" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="None"> <Rule id="V-220715" severity="low" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="None">
<Description>&lt;VulnDiscussion&gt;To minimize potential points of attack, local user accounts, other than built-in accounts and local administrator accounts, must not exist on a workstation in a domain. Users must log onto workstations in a domain with their domain accounts.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description> <Description>&lt;VulnDiscussion&gt;To minimize potential points of attack, local user accounts, other than built-in accounts and local administrator accounts, must not exist on a workstation in a domain. Users must log on to workstations in a domain with their domain accounts.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
<DuplicateOf /> <DuplicateOf />
<IsNullOrEmpty>False</IsNullOrEmpty> <IsNullOrEmpty>False</IsNullOrEmpty>
<LegacyId>V-63367</LegacyId> <LegacyId>V-63367</LegacyId>
<OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueRequired>False</OrganizationValueRequired>
<OrganizationValueTestString /> <OrganizationValueTestString />
<RawString>Run "Computer Management". <RawString>For standalone or nondomain-joined systems, this is Not Applicable.
Run "Computer Management".
Navigate to System Tools &gt;&gt; Local Users and Groups &gt;&gt; Users. Navigate to System Tools &gt;&gt; Local Users and Groups &gt;&gt; Users.
If local users other than the accounts listed below exist on a workstation in a domain, this is a finding. If local users other than the accounts listed below exist on a workstation in a domain, this is a finding.
@ -1571,7 +1571,7 @@ Technical means such as application whitelisting can be used to enforce the poli
The organization must have a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. The organization must have a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices.
Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet. Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet.
If accounts with administrative privileges are not prevented from using applications that access the Internet or with potential Internet sources, this is a finding.</RawString> If accounts with administrative privileges are not prevented from using applications that access the Internet or with potential Internet sources, this is a finding.</RawString>
</Rule> </Rule>
@ -1590,11 +1590,7 @@ Execute the following command:
Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*ECA*" | FL Subject, Thumbprint, NotAfter Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*ECA*" | FL Subject, Thumbprint, NotAfter
If the following certificate "Subject" and "Thumbprint" information is not displayed, this is a finding. If the following certificate "Subject" and "Thumbprint" information is not displayed, this is a finding.
Subject: CN=ECA Root CA 2, OU=ECA, O=U.S. Government, C=US
Thumbprint: C313F919A6ED4E0E8451AFA930FB419A20F181E4
NotAfter: 3/30/2028
Subject: CN=ECA Root CA 4, OU=ECA, O=U.S. Government, C=US Subject: CN=ECA Root CA 4, OU=ECA, O=U.S. Government, C=US
Thumbprint: 73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582 Thumbprint: 73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582
@ -1624,34 +1620,89 @@ Select the "Details" Tab.
Scroll to the bottom and select "Thumbprint". Scroll to the bottom and select "Thumbprint".
If the ECA Root CA certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. If the ECA Root CA certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding.
ECA Root CA 2
Thumbprint: C313F919A6ED4E0E8451AFA930FB419A20F181E4
Valid to: Thursday, March 30, 2028
ECA Root CA 4 ECA Root CA 4
Thumbprint: 73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582 Thumbprint: 73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582
Valid to: Sunday, December 30, 2029</RawString> Valid to: Sunday, December 30, 2029</RawString>
</Rule> </Rule>
<Rule id="V-220952" severity="medium" conversionstatus="pass" title="SRG-OS-000076-GPOS-00044" dscresource="None"> <Rule id="V-220952" severity="medium" conversionstatus="pass" title="SRG-OS-000076-GPOS-00044" dscresource="None">
<Description>&lt;VulnDiscussion&gt;The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. A local Administrator account is not generally used and its password not may be changed as frequently as necessary. Changing the password for enabled Administrator accounts on a regular basis will limit its exposure. <Description>&lt;VulnDiscussion&gt;The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. A local Administrator account is not generally used and its password may not be changed as frequently as necessary. Changing the password for enabled Administrator accounts on a regular basis will limit its exposure.
It is highly recommended to use Microsoft's Local Administrator Password Solution (LAPS). Domain-joined systems can configure this to occur more frequently. LAPS will change the password every "30" days by default. The AO still has the overall authority to use another equivalent capability to accomplish the check.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description> Windows LAPS must be used to change the built-in Administrator account password.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
<DuplicateOf /> <DuplicateOf />
<IsNullOrEmpty>False</IsNullOrEmpty> <IsNullOrEmpty>False</IsNullOrEmpty>
<LegacyId>V-99555</LegacyId> <LegacyId>V-99555</LegacyId>
<OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueRequired>False</OrganizationValueRequired>
<OrganizationValueTestString /> <OrganizationValueTestString />
<RawString>Review the password last set date for the enabled local Administrator account. <RawString>If there are no enabled local Administrator accounts, this is Not Applicable.
On the local domain joined workstation: Review the password last set date for the enabled local Administrator account.
On the local domain-joined workstation:
Open "PowerShell". Open "PowerShell".
Enter "Get-LocalUser –Name * | Select-Object *” Enter "Get-LocalUser -Name * | Select-Object *".
If the "PasswordLastSet" date is greater than "60" days old for the local Administrator account for administering the computer/domain, this is a finding.</RawString> If the "PasswordLastSet" date is greater than "60" days old for the local Administrator account for administering the computer/domain, this is a finding.
Verify LAPS is configured and operational.
Navigate to Local Computer Policy &gt;&gt; Computer Configuration &gt;&gt; Administrative Templates &gt;&gt; System &gt;&gt; LAPS &gt;&gt; Password Settings &gt;&gt; Set to enabled. Password Complexity, large letters + small letters + numbers + special, Password Length 14, Password Age 60. If not configured as shown, this is a finding.
Navigate to Local Computer Policy &gt;&gt; Computer Configuration &gt;&gt; Administrative Templates &gt;&gt; System &gt;&gt; LAPS &gt;&gt; Password Settings &gt;&gt; Name of administrator Account to manage &gt;&gt; Set to enabled &gt;&gt; Administrator account name is populated. If it is not, this is a finding.
Verify LAPS Operational logs &gt;&gt; Event Viewer &gt;&gt; Applications and Services Logs &gt;&gt; Microsoft &gt;&gt; Windows &gt;&gt; LAPS &gt;&gt; Operational. Verify LAPS policy process is completing. If it is not, this is a finding.</RawString>
</Rule>
<Rule id="V-256894" severity="medium" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="None">
<Description>&lt;VulnDiscussion&gt;Internet Explorer 11 (IE11) is no longer supported on Windows 10 semi-annual channel. &lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
<DuplicateOf />
<IsNullOrEmpty>False</IsNullOrEmpty>
<LegacyId>
</LegacyId>
<OrganizationValueRequired>False</OrganizationValueRequired>
<OrganizationValueTestString />
<RawString>Determine if IE11 is installed or enabled on Windows 10 semi-annual channel.
If IE11 is installed or not disabled on Windows 10 semi-annual channel, this is a finding.
If IE11 is installed on a unsupported operating system and is enabled or installed, this is a finding.
For more information, visit: https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge#what-is-the-lifecycle-policy-for-internet-explorer-</RawString>
</Rule>
<Rule id="V-257589" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="None">
<Description>&lt;VulnDiscussion&gt;When this policy setting is enabled, the operating system generates audit events when a process fails to start and the name of the program or user that created it.
These audit events can assist in understanding how a computer is being used and tracking user activity.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
<DuplicateOf />
<IsNullOrEmpty>False</IsNullOrEmpty>
<LegacyId>
</LegacyId>
<OrganizationValueRequired>False</OrganizationValueRequired>
<OrganizationValueTestString />
<RawString>Ensure Audit Process Creation auditing has been enabled:
Computer Configuration &gt;&gt; Policies &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Advanced Audit Policy Configuration &gt;&gt; Detailed Tracking &gt;&gt; Set to "Failure".
If "Audit Process Creation" is not set to "Failure", this is a finding.</RawString>
</Rule>
<Rule id="V-257593" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="None">
<Description>&lt;VulnDiscussion&gt;Having portproxy enabled or configured in Windows 10 could allow a man-in-the-middle attack.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
<DuplicateOf />
<IsNullOrEmpty>False</IsNullOrEmpty>
<LegacyId>
</LegacyId>
<OrganizationValueRequired>False</OrganizationValueRequired>
<OrganizationValueTestString />
<RawString>Check the registry key for existence of proxied ports:
HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\.
If the key contains v4tov4\tcp\ or is populated v4tov4\tcp\, this is a finding.
Run "netsh interface portproxy show all".
If the command displays any results, this is a finding.</RawString>
</Rule> </Rule>
</ManualRule> </ManualRule>
<PermissionRule dscresourcemodule="AccessControlDsc"> <PermissionRule dscresourcemodule="AccessControlDsc">
@ -1708,9 +1759,9 @@ If the "PasswordLastSet" date is greater than "60" days old for the local Admini
<Path>%SystemDrive%\</Path> <Path>%SystemDrive%\</Path>
<RawString>The default file system permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN10-SO-000160). <RawString>The default file system permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN10-SO-000160).
If the default file system permissions are maintained and the referenced option is set to "Disabled", this is not a finding. If the default file system permissions are maintained and the referenced option is set to "Disabled", this is not a finding.
Verify the default permissions for the sample directories below. Non-privileged groups such as Users or Authenticated Users must not have greater than Read &amp; execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) Verify the default permissions for the sample directories below. Nonprivileged groups such as Users or Authenticated Users must not have greater than Read &amp; execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.)
Viewing in File Explorer: Viewing in File Explorer:
Select the "Security" tab, and the "Advanced" button. Select the "Security" tab and the "Advanced" button.
C:\ C:\
Type - "Allow" for all Type - "Allow" for all
Inherited from - "None" for all Inherited from - "None" for all
@ -1808,9 +1859,9 @@ Alternately use icacls.
<Path>%ProgramFiles%</Path> <Path>%ProgramFiles%</Path>
<RawString>The default file system permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN10-SO-000160). <RawString>The default file system permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN10-SO-000160).
If the default file system permissions are maintained and the referenced option is set to "Disabled", this is not a finding. If the default file system permissions are maintained and the referenced option is set to "Disabled", this is not a finding.
Verify the default permissions for the sample directories below. Non-privileged groups such as Users or Authenticated Users must not have greater than Read &amp; execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) Verify the default permissions for the sample directories below. Nonprivileged groups such as Users or Authenticated Users must not have greater than Read &amp; execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.)
Viewing in File Explorer: Viewing in File Explorer:
Select the "Security" tab, and the "Advanced" button. Select the "Security" tab and the "Advanced" button.
\Program Files \Program Files
Type - "Allow" for all Type - "Allow" for all
Inherited from - "None" for all Inherited from - "None" for all
@ -1912,9 +1963,9 @@ Alternately use icacls.
<Path>%Windir%</Path> <Path>%Windir%</Path>
<RawString>The default file system permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN10-SO-000160). <RawString>The default file system permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN10-SO-000160).
If the default file system permissions are maintained and the referenced option is set to "Disabled", this is not a finding. If the default file system permissions are maintained and the referenced option is set to "Disabled", this is not a finding.
Verify the default permissions for the sample directories below. Non-privileged groups such as Users or Authenticated Users must not have greater than Read &amp; execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) Verify the default permissions for the sample directories below. Nonprivileged groups such as Users or Authenticated Users must not have greater than Read &amp; execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.)
Viewing in File Explorer: Viewing in File Explorer:
Select the "Security" tab, and the "Advanced" button. Select the "Security" tab and the "Advanced" button.
\Windows \Windows
Type - "Allow" for all Type - "Allow" for all
Inherited from - "None" for all Inherited from - "None" for all
@ -2314,7 +2365,7 @@ Value: 0x00000001 (1)</RawString>
<ValueType>Dword</ValueType> <ValueType>Dword</ValueType>
</Rule> </Rule>
<Rule id="V-220704" severity="medium" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="Registry"> <Rule id="V-220704" severity="medium" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="Registry">
<Description>&lt;VulnDiscussion&gt;If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives. Increasing the pin length requires a greater number of guesses for an attacker.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description> <Description>&lt;VulnDiscussion&gt;If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives. 
Increasing the PIN length requires a greater number of guesses for an attacker.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
<DuplicateOf /> <DuplicateOf />
<Ensure>Present</Ensure> <Ensure>Present</Ensure>
<IsNullOrEmpty>False</IsNullOrEmpty> <IsNullOrEmpty>False</IsNullOrEmpty>
@ -2533,7 +2584,7 @@ This requirement is not applicable to dedicated VTC suites located in approved V
For an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding. For an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding.
For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use.
If the built-in camera is not protected with a camera cover, or if the built-in camera is not disabled in the bios, this is a finding. If the built-in camera is not protected with a camera cover, or if the built-in camera is not disabled in the bios, this is a finding.
@ -2849,7 +2900,7 @@ Value: NistP384 NistP256</RawString>
<ValueType>MultiString</ValueType> <ValueType>MultiString</ValueType>
</Rule> </Rule>
<Rule id="V-220806" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="RegistryPolicyFile"> <Rule id="V-220806" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="RegistryPolicyFile">
<Description>&lt;VulnDiscussion&gt;Multiple network connections can provide additional attack vectors to a system and must be limited. The "Minimize the number of simultaneous connections to the Internet or a Windows Domain" setting prevents systems from automatically establishing multiple connections. When both wired and wireless connections are available, for example, the less-preferred connection (typically wireless) will be disconnected.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description> <Description>&lt;VulnDiscussion&gt;Multiple network connections can provide additional attack vectors to a system and must be limited. The "Minimize the number of simultaneous connections to the Internet or a Windows Domain" setting prevents systems from automatically establishing multiple connections. When both wired and wireless connections are available, for example, the less-preferred connection (typically wireless) will be disconnected.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
<DuplicateOf /> <DuplicateOf />
<Ensure>Present</Ensure> <Ensure>Present</Ensure>
<IsNullOrEmpty>False</IsNullOrEmpty> <IsNullOrEmpty>False</IsNullOrEmpty>
@ -2935,7 +2986,7 @@ Enabling "Include command line data for process creation events" will record the
<OrganizationValueTestString /> <OrganizationValueTestString />
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding. <RawString>If the following registry value does not exist or is not configured as specified, this is a finding.
Registry Hive: HKEY_LOCAL_MACHINE Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\
Value Name: ProcessCreationIncludeCmdLine_Enabled Value Name: ProcessCreationIncludeCmdLine_Enabled
@ -3017,13 +3068,14 @@ Value: 1 (Secure Boot only) or 3 (Secure Boot and DMA Protection)</RawString>
<OrganizationValueTestString /> <OrganizationValueTestString />
<RawString>Confirm Credential Guard is running on domain-joined systems. <RawString>Confirm Credential Guard is running on domain-joined systems.
For those devices that support Credential Guard, this feature must be enabled. Organizations need to take the appropriate action to acquire and implement compatible hardware with Credential Guard enabled. For devices that support Credential Guard, this feature must be enabled. Organizations must take the appropriate action to acquire and implement compatible hardware with Credential Guard enabled.
Virtualization based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDI) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop. Virtualization based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDIs) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop.
For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is NA. For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is Not Applicable.
Run "PowerShell" with elevated privileges (run as administrator).
Run "PowerShell" with elevated privileges (run as administrator).
Enter the following: Enter the following:
"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" "Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard"
@ -3032,8 +3084,10 @@ If "SecurityServicesRunning" does not include a value of "1" (e.g., "{1, 2}"), t
Alternately: Alternately:
Run "System Information". Run "System Information".
Under "System Summary", verify the following: Under "System Summary", verify the following:
If "Device Guard Security Services Running" does not list "Credential Guard", this is finding.
If "Virtualization-based Security Services Running" does not list "Credential Guard", this is finding.
The policy settings referenced in the Fix section will configure the following registry value. However, due to hardware requirements, the registry value alone does not ensure proper function. The policy settings referenced in the Fix section will configure the following registry value. However, due to hardware requirements, the registry value alone does not ensure proper function.
@ -3042,9 +3096,7 @@ Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\
Value Name: LsaCfgFlags Value Name: LsaCfgFlags
Value Type: REG_DWORD Value Type: REG_DWORD
Value: 0x00000001 (1) (Enabled with UEFI lock) Value: 0x00000001 (1) (Enabled with UEFI lock)</RawString>
</RawString>
<ValueData>1</ValueData> <ValueData>1</ValueData>
<ValueName>LsaCfgFlags</ValueName> <ValueName>LsaCfgFlags</ValueName>
<ValueType>Dword</ValueType> <ValueType>Dword</ValueType>
@ -3070,7 +3122,7 @@ Registry Path: \SYSTEM\CurrentControlSet\Policies\EarlyLaunch\
Value Name: DriverLoadPolicy Value Name: DriverLoadPolicy
Value Type: REG_DWORD Value Type: REG_DWORD
Value: 1, 3, or 8 Value: 1, 3, or 8
Possible values for this setting are: Possible values for this setting are:
8 - Good only 8 - Good only
@ -3304,7 +3356,7 @@ Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\
Value Name: fAllowToGetHelp Value Name: fAllowToGetHelp
Value Type: REG_DWORD Value Type: REG_DWORD
Value: 0</RawString> Value: 0</RawString>
<ValueData>0</ValueData> <ValueData>0</ValueData>
@ -3544,7 +3596,7 @@ Value: 0x00000001 (1)</RawString>
<ValueType>Dword</ValueType> <ValueType>Dword</ValueType>
</Rule> </Rule>
<Rule id="V-220834" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="RegistryPolicyFile"> <Rule id="V-220834" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="RegistryPolicyFile">
<Description>&lt;VulnDiscussion&gt;Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Limiting this capability will prevent potentially sensitive information from being sent outside the enterprise. The "Security" option for Telemetry configures the lowest amount of data, effectively none outside of the Malicious Software Removal Tool (MSRT), Defender and telemetry client settings. "Basic" sends basic diagnostic and usage data and may be required to support some Microsoft services. "Enhanced" includes additional information on how Windows and apps are used and advanced reliability data. Windows Analytics can use a "limited enhanced" level to provide information such as health data for devices. This requires the configuration of an additional setting available with v1709 and later of Windows 10. &lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description> <Description>&lt;VulnDiscussion&gt;Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Limiting this capability will prevent potentially sensitive information from being sent outside the enterprise. The "Security" option for Telemetry configures the lowest amount of data, effectively none outside of the Malicious Software Removal Tool (MSRT), Defender, and telemetry client settings. "Basic" sends basic diagnostic and usage data and may be required to support some Microsoft services. 
"Enhanced" includes additional information on how Windows and apps are used and advanced reliability data. Windows Analytics can use a "limited enhanced" level to provide information such as health data for devices. This requires the configuration of an additional setting available with v1709 and later of Windows 10.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
<DuplicateOf /> <DuplicateOf />
<Ensure>Present</Ensure> <Ensure>Present</Ensure>
<IsNullOrEmpty>False</IsNullOrEmpty> <IsNullOrEmpty>False</IsNullOrEmpty>
@ -3563,7 +3615,7 @@ Type: REG_DWORD
Value: 0x00000000 (0) (Security) Value: 0x00000000 (0) (Security)
0x00000001 (1) (Basic) 0x00000001 (1) (Basic)
If an organization is using v1709 or later of Windows 10 this may be configured to "Enhanced" to support Windows Analytics. V-82145 must also be configured to limit the Enhanced diagnostic data to the minimum required by Windows Analytics. This registry value will then be 0x00000002 (2).</RawString> If an organization is using v1709 or later of Windows 10, this may be configured to "Enhanced" to support Windows Analytics. V-220833 must also be configured to limit the Enhanced diagnostic data to the minimum required by Windows Analytics. This registry value will then be 0x00000002 (2).</RawString>
<ValueData>0</ValueData> <ValueData>0</ValueData>
<ValueName>AllowTelemetry</ValueName> <ValueName>AllowTelemetry</ValueName>
<ValueType>Dword</ValueType> <ValueType>Dword</ValueType>
@ -4283,7 +4335,7 @@ Enabling PowerShell script block logging will record detailed information from t
<OrganizationValueTestString /> <OrganizationValueTestString />
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding. <RawString>If the following registry value does not exist or is not configured as specified, this is a finding.
Registry Hive: HKEY_LOCAL_MACHINE Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\
Value Name: EnableScriptBlockLogging Value Name: EnableScriptBlockLogging
@ -4555,7 +4607,7 @@ Value data: 1</RawString>
<OrganizationValueTestString /> <OrganizationValueTestString />
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding. <RawString>If the following registry value does not exist or is not configured as specified, this is a finding.
If the following registry value does not exist or is not configured as specified, this is a finding: If the following registry value does not exist or is not configured as specified, this is a finding:
Registry Hive: HKEY_CURRENT_USER Registry Hive: HKEY_CURRENT_USER
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CloudContent\ Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CloudContent\
@ -4767,7 +4819,7 @@ Value Name: RequireStrongKey
Value Type: REG_DWORD Value Type: REG_DWORD
Value: 1 Value: 1
Warning: This setting may prevent a system from being joined to a domain if not configured consistently between systems.</RawString> Warning: This setting may prevent a system from being joined to a domain if not configured consistently between systems.</RawString>
<ValueData>1</ValueData> <ValueData>1</ValueData>
<ValueName>RequireStrongKey</ValueName> <ValueName>RequireStrongKey</ValueName>
@ -4812,7 +4864,7 @@ Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
Value Name: LegalNoticeText Value Name: LegalNoticeText
Value Type: REG_SZ Value Type: REG_SZ
Value: Value:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions: By using this IS (which includes any device attached to this IS), you consent to the following conditions:
@ -4869,7 +4921,7 @@ If a site-defined title is used, it can in no case contravene or modify the lang
If the following registry value does not exist or is not configured as specified, this is a finding: If the following registry value does not exist or is not configured as specified, this is a finding:
Registry Hive: HKEY_LOCAL_MACHINE Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Value Name: CachedLogonsCount Value Name: CachedLogonsCount
@ -5281,7 +5333,7 @@ Value Name: Enabled
Value Type: REG_DWORD Value Type: REG_DWORD
Value: 1 Value: 1
Warning: Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS otherwise the browser will not be able to connect to a secure site.</RawString> Warning: Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS otherwise the browser will not be able to connect to a secure site.</RawString>
<ValueData>1</ValueData> <ValueData>1</ValueData>
<ValueName>Enabled</ValueName> <ValueName>Enabled</ValueName>
@ -5621,7 +5673,7 @@ Value: 0x00000001 (1) (Enabled with UEFI lock), or 0x00000002 (2) (Enabled witho
<RootCertificateRule dscresourcemodule="CertificateDsc"> <RootCertificateRule dscresourcemodule="CertificateDsc">
<Rule id="V-220903.a" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC"> <Rule id="V-220903.a" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
<CertificateName>DoD Root CA 3</CertificateName> <CertificateName>DoD Root CA 3</CertificateName>
<Description>&lt;VulnDiscussion&gt;To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure the trust chain is established for server certificates issued from the DoD CAs.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description> <Description>&lt;VulnDiscussion&gt;To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure the trust chain is established for server certificates issued from the DoD CAs.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
<DuplicateOf /> <DuplicateOf />
<IsNullOrEmpty>False</IsNullOrEmpty> <IsNullOrEmpty>False</IsNullOrEmpty>
<LegacyId>V-63579.a</LegacyId> <LegacyId>V-63579.a</LegacyId>
@ -5633,7 +5685,7 @@ Value: 0x00000001 (1) (Enabled with UEFI lock), or 0x00000002 (2) (Enabled witho
</Rule> </Rule>
<Rule id="V-220903.b" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC"> <Rule id="V-220903.b" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
<CertificateName>DoD Root CA 4</CertificateName> <CertificateName>DoD Root CA 4</CertificateName>
<Description>&lt;VulnDiscussion&gt;To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure the trust chain is established for server certificates issued from the DoD CAs.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description> <Description>&lt;VulnDiscussion&gt;To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure the trust chain is established for server certificates issued from the DoD CAs.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
<DuplicateOf /> <DuplicateOf />
<IsNullOrEmpty>False</IsNullOrEmpty> <IsNullOrEmpty>False</IsNullOrEmpty>
<LegacyId>V-63579.b</LegacyId> <LegacyId>V-63579.b</LegacyId>
@ -5645,7 +5697,7 @@ Value: 0x00000001 (1) (Enabled with UEFI lock), or 0x00000002 (2) (Enabled witho
</Rule> </Rule>
<Rule id="V-220903.c" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC"> <Rule id="V-220903.c" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
<CertificateName>DoD Root CA 5</CertificateName> <CertificateName>DoD Root CA 5</CertificateName>
<Description>&lt;VulnDiscussion&gt;To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure the trust chain is established for server certificates issued from the DoD CAs.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description> <Description>&lt;VulnDiscussion&gt;To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure the trust chain is established for server certificates issued from the DoD CAs.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
<DuplicateOf /> <DuplicateOf />
<IsNullOrEmpty>False</IsNullOrEmpty> <IsNullOrEmpty>False</IsNullOrEmpty>
<LegacyId>V-63579.c</LegacyId> <LegacyId>V-63579.c</LegacyId>
@ -5655,28 +5707,60 @@ Value: 0x00000001 (1) (Enabled with UEFI lock), or 0x00000002 (2) (Enabled witho
<RawString>DoD Root CA 5,4ECB5CC3095670454DA1CBD410FC921F46B8564B</RawString> <RawString>DoD Root CA 5,4ECB5CC3095670454DA1CBD410FC921F46B8564B</RawString>
<Thumbprint>4ECB5CC3095670454DA1CBD410FC921F46B8564B</Thumbprint> <Thumbprint>4ECB5CC3095670454DA1CBD410FC921F46B8564B</Thumbprint>
</Rule> </Rule>
<Rule id="V-220905.a" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC"> <Rule id="V-220905" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
<CertificateName>DoD Interoperability Root CA 2</CertificateName> <CertificateName>DoD Interoperability Root CA 2</CertificateName>
<Description>&lt;VulnDiscussion&gt;To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description> <Description>&lt;VulnDiscussion&gt;To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
<DuplicateOf /> <DuplicateOf />
<IsNullOrEmpty>False</IsNullOrEmpty> <IsNullOrEmpty>False</IsNullOrEmpty>
<LegacyId>V-63587.a</LegacyId> <LegacyId>V-63587</LegacyId>
<Location /> <Location />
<OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueRequired>True</OrganizationValueRequired>
<OrganizationValueTestString>location for DoD Interoperability Root CA 2 certificate is present</OrganizationValueTestString> <OrganizationValueTestString>location for DoD Interoperability Root CA 2 certificate is present</OrganizationValueTestString>
<RawString>DoD Interoperability Root CA 2,AC06108CA348CC03B53795C64BF84403C1DBD341</RawString> <RawString>Verify the DoD Interoperability cross-certificates are installed on unclassified systems as Untrusted Certificates.
<Thumbprint>AC06108CA348CC03B53795C64BF84403C1DBD341</Thumbprint>
</Rule> Run "PowerShell" as an administrator.
<Rule id="V-220905.b" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
<CertificateName>DoD Interoperability Root CA 2</CertificateName> Execute the following command:
<Description>&lt;VulnDiscussion&gt;To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
<DuplicateOf /> Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter
<IsNullOrEmpty>False</IsNullOrEmpty>
<LegacyId>V-63587.b</LegacyId> If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding.
<Location />
<OrganizationValueRequired>True</OrganizationValueRequired> Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
<OrganizationValueTestString>location for DoD Interoperability Root CA 2 certificate is present</OrganizationValueTestString> Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
<RawString>DoD Interoperability Root CA 2,49CBE933151872E17C8EAE7F0ABA97FB610F6477</RawString> Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477
NotAfter: 11/16/2024
Alternately, use the Certificates MMC snap-in:
Run "MMC".
Select "File", "Add/Remove Snap-in".
Select "Certificates", click "Add".
Select "Computer account", click "Next".
Select "Local computer: (the computer this console is running on)", click "Finish".
Click "OK".
Expand "Certificates" and navigate to Untrusted Certificates &gt;&gt; Certificates.
For each certificate with "DoD Root CA…" under "Issued To" and "DoD Interoperability Root CA…" under "Issued By":
Right-click on the certificate and select "Open".
Select the "Details" tab.
Scroll to the bottom and select "Thumbprint".
If the certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding.
Issued To: DoD Root CA 3
Issued By: DoD Interoperability Root CA 2
Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477
Valid to: Wednesday, November 16, 2024</RawString>
<Thumbprint>49CBE933151872E17C8EAE7F0ABA97FB610F6477</Thumbprint> <Thumbprint>49CBE933151872E17C8EAE7F0ABA97FB610F6477</Thumbprint>
</Rule> </Rule>
<Rule id="V-220906" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC"> <Rule id="V-220906" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
@ -5696,14 +5780,14 @@ Execute the following command:
Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter
If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is a finding. If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding.
Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S.Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
Thumbprint: AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9 Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8
NotAfter: 8/26/2022 9:07:50 AM NotAfter: 7/18/2025 9:56:22 AM
Alternately use the Certificates MMC snap-in: Alternately, use the Certificates MMC snap-in:
Run "MMC". Run "MMC".
@ -5717,7 +5801,7 @@ Select "Local computer: (the computer this console is running on)", click "Finis
Click "OK". Click "OK".
Expand "Certificates" and navigate to "Untrusted Certificates &gt;&gt; Certificates". Expand "Certificates" and navigate to Untrusted Certificates &gt;&gt; Certificates.
For each certificate with "US DoD CCEB Interoperability Root CA …" under "Issued By": For each certificate with "US DoD CCEB Interoperability Root CA …" under "Issued By":
@ -5730,10 +5814,10 @@ Scroll to the bottom and select "Thumbprint".
If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding.
Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S.Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
Thumbprint: AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9 Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8
NotAfter: 8/26/2022 9:07:50 AM</RawString> NotAfter: 7/18/2025 9:56:22 AM</RawString>
<Thumbprint>AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9</Thumbprint> <Thumbprint>9B74964506C7ED9138070D08D5F8B969866560C8</Thumbprint>
</Rule> </Rule>
</RootCertificateRule> </RootCertificateRule>
<SecurityOptionRule dscresourcemodule="SecurityPolicyDsc"> <SecurityOptionRule dscresourcemodule="SecurityPolicyDsc">